Browsing websites with valid SSL certificates is considered secure and encrypted. However, an SSL certificate alone does not keep websites safe. According to a new study, researchers continue to witness a growing number of phishing attacks that involve sites with an SSL certificate.
SSL certificates fail to ensure online safety!
New research highlights a surge in wire transfer loss caused by business email compromise (BEC) attacks. Researchers have also witnessed a 20 percent increase in BEC attacks targeting the social media sector.
According to cybersecurity company PhishLabs, nearly 80 percent of phishing sites used SSL certificates during Q2 2020. Short for Secure Sockets Layer, SSL is an encryption-based Internet security protocol. SSL is designed to safeguard communication between users and websites.
Domain Validation (DV) vs Extended Validation (EV)
A Domain Validation (DV) certificate validates the domain name by verifying the applicant's ownership and control of a DNS domain. DV certificates help websites prevent DNS spoofing.
An Extended Validation (EV) certificate validates the legal entity of the owner. EV certificates are signed by a certificate authority key. An EV certificate is considered the highest form of SSL certificate.
That said, researchers have also witnessed a growing number of websites using Extended Validation (EV) certificates.
“The number of phishing sites using TLS continues to increase,” said John LaCour, Founder and CTO of PhishLabs. “Most web sites—good and bad—now use TLS. Phishers are hacking into legitimate web sites and placing their phishing files on those compromised sites.”
According to researchers, 91 percent of websites were using Domain Validated (DV) certificates. Researchers also discovered 27 sites that were using Extended Validation (EV) certificates, which indicate that a website is more trustworthy.
Other key findings
Interestingly, the total number of phishing sites decreased by 11 percent in Q2 2020 as compared to the preceding quarter. However, the number of unique phishing campaigns during Q2 2020 remained more or less the same.
Nearly 35 percent of all attacks had common targets: Webmail sites and Software as a Service (SaaS). Meanwhile, attacks targeting Facebook and WhatsApp saw a 20 percent jump.
72 percent of BEC attacks came from free webmail accounts, including Gmail. The majority of phishing emails were sent from email accounts hosted on domains registered by scammers.
In Q2 2020, financial losses incurred due to BEC attacks averaged $80,183 as compared to $54,000 in Q1 2020.